Re: Empty but existing resource | Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

Mike Bishop <> Fri, 07 October 2016 05:54 UTC

From: Mike Bishop <>
To: Martin Thomson <>, Kari Hurtta <>
CC: Patrick McManus <>, HTTP working group mailing list <>
Date: Fri, 07 Oct 2016 05:49:14 +0000

Fair enough that the Alt-Svc could have been inserted by an attacker that knows that particular server is scheme-insensitive and wants to provoke whatever the misbehavior is. Validating the agreement over TLS for that reason makes more sense to me. I still would argue that the client SHOULD check for this (not MUST) simply because a client could follow the Alt-Svc header without checking .w-k and be perfectly compliant with RFC 7838. The client isn't requesting additional functionality via Opp-Sec, but gaining a way to double-check the alternative's intent/ability to play along when the initial reference was vulnerable to meddling. (Unless we're proposing to update RFC 7838 by adding that MUST?)

While I certainly grant that it's possible for apps above the server layer to handle this incorrectly as well, I think a lot of that gets mitigated if the server layer properly tells the app that the requested URL was  (I believe ours actually overrides the scheme as presented, so an app basically never has the chance to get it right.)  While apps are endlessly creative in ways to get things wrong, your odds are at least much better if the server is capable of delivering the correct requested URL to the application.

From: Martin Thomson <>
Sent: Thursday, October 6, 2016 10:11:37 PM
To: Kari Hurtta
Cc: Mike Bishop; Patrick McManus; HTTP working group mailing list
Subject: Re: Empty but existing resource | Re: SETTINGS_MIXED_SCHEME_PERMITTED | Re: I-D Action: draft-ietf-httpbis-http2-encryption-07.txt

On 7 October 2016 at 15:21, Kari Hurtta <> wrote:
> I do not like existing but empty resource test.
> I have seen some instructions (for load balancer)
> on how to convert http 404 to http 200 with empty page
> (or response).

Then insist on it being text that includes the origin.
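
The difference between the two tests discussed in this thread, as an added example that is not part of the original messages: an "exists" test accepts any 200, while a test that requires the body to name the origin rejects the empty 200 a load balancer produces from a 404. The function names, the sample responses and the body format (a JSON array of origin strings) are assumptions made for illustration; the responses are taken to have been fetched from the alternative over authenticated TLS.

```python
import json

def exists_check(status: int, body: bytes) -> bool:
    # The "existing but empty resource" test: any 200 counts as opt-in.
    return status == 200

def origin_check(status: int, body: bytes, origin: str) -> bool:
    # Stricter test: the body must be text that includes the origin.
    # Assumed format (not from the thread): a JSON array of origin strings.
    if status != 200 or not body.strip():
        return False
    try:
        listed = json.loads(body.decode("utf-8"))
    except ValueError:  # covers invalid UTF-8 and invalid JSON
        return False
    if not isinstance(listed, list):
        return False
    # Scheme and host are case-insensitive, so compare lowercased.
    return origin.lower() in {o.lower() for o in listed if isinstance(o, str)}

# Constructed sample responses for the well-known resource: (status, body).
SAMPLES = {
    "opted_in":        (200, b'["http://www.example.com"]'),
    "lb_rewrote_404":  (200, b""),  # load balancer turned 404 into empty 200
    "other_origin":    (200, b'["http://other.example.com"]'),
    "html_error_page": (200, b"<html>Not Found</html>"),
    "missing":         (404, b""),
}

def compare(origin: str) -> dict:
    # For each sample, return (exists_check result, origin_check result).
    return {
        name: (exists_check(status, body), origin_check(status, body, origin))
        for name, (status, body) in SAMPLES.items()
    }

if __name__ == "__main__":
    for name, (weak, strict) in compare("http://www.example.com").items():
        print(f"{name:16} exists_check={weak!s:5} origin_check={strict}")
```
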